Sun Java System Access Manager 7 2005Q4 Technical Overview

Authentication Plug-In Modules

An authentication module is a plug-in that collects user information such as a user ID and password, and then checks the information against entries in a database. If a user provides information that meets the authentication criteria, then the user is granted access to the requested resource. If the user provides information that does not meet authentication criteria, the user is denied access to the requested resource. Access Manager is installed with 15 types of authentication modules. The following table provides a brief description of the 15 default authentication module types.

Table 3–1 Access Manage Authentication Module Types

Authentication Module Name  


Active Directory

Uses an Active Directory operation to associates a user ID and password with a particular Active Directory entry. You can define multiple Active Directory authentication configurations for a realm. Allows both LDAP and Active Directory to coexist under the same realm. 


Allows a user to log in without specifying credentials. You can create an Anonymous user so that anyone can log in as Anonymous without having to provide a password. Anonymous connections are usually customized by the Access Manager administrator so that Anonymous users have limited access to the server. 


Allows a user to log in through a personal digital certificate (PDC). The module can require the use of the Online Certificate Status Protocol (OCSP) to determine the state of a certificate. Use of the OCSP is optional. The user is granted or denied access to a resource based on whether or not the certificate is valid. 

HTTP Basic 

Allows authentication to occur with no data encryption. Credentials are validated internally using the LDAP authentication module. 

Java Database Connectivity (JDBC)

Allows authentication through any Structured Query Language (SQL) databases that provide JDBC-enabled drivers. The SQL database connects either directly through a JDBC driver or through a JNDI connection pool. 


Allows authentication using LDAP bind, a Directory Server operation which associates a user ID password with a particular LDAP entry. You can define multiple LDAP authentication configurations for a realm. 


Allows user to self-register. The user create an account, personalizes it, and accesses it as a registered user without the help of an administrator. Implemented similarly to personalized sites such as, or 


The Mobile Station Integrated Services Digital Network (MSISDN) authentication module enables authentication using a mobile subscriber ISDN associated with a device such as a cellular telephone. It is a non-interactive module. The module retrieves the subscriber ISDN and validates it against the Directory Server to find a user that matches the number. 


Uses an external Remote Authentication Dial-In User Service (RADIUS) server to verify identities. 

Security Assertion Markup Language (SAML) 

Receives and validates SAML Assertions on a target server by using either a web artifact or a POST response. 


Uses Secure Computing’s SafeWord PremierAccessTM server software and SafeWord tokens to verify identities.


Uses RSA ACE/Server software and RSA SecurID authenticators to verify identities. 


Solaris and Linux modules use a user’s UNIX identification and password to verify identities. 

Windows Desktop Single Sign-On (SSO) 

Also known as Kerebos authentication, this module is specific only to the Windows operating system. Allows a user who has already authenticated with a key distribution center to be authenticated with Access Manager without having to provide the login information again. 

Windows NT 

Uses a Microsoft Windows NTTM server to verify identities.

After granting or denying access, Access Manager checks for information about where to redirect the user. Access Manager uses a specific order of precedence when checking this information. The order is based on whether the user was granted or denied access to the protected resource, and on the type of authentication specified. Five types of authentication exist including Realm-based and Role-based authentication. See Authentication Type Configurations for more information about authentication types.

You can use the Access Manager Console to enable and configure authentication module types that come with Access Manager by default. You can also create and configure multiple instances of a particular authentication module type. An instance is a child entity that extends the schema of a parent authentication module and adds its own subschema. See Sun Java System Access Manager 7 2005Q4 Administration Guide for detailed information about enabling and configuring default authentication modules types and authentication module instances.

You can also write your own custom authentication module or plug-in to connect to the Access Manager authentication framework. For more information about writing custom authentication modules, see the Sun Java System Access Manager 7 2005Q4 Developer’s Guide.